Skip to content
CVE-2026-59235 ·
High · July 15, 2026

Missing authorization in Prospero Flow CRM allows low-privileged users to read all bank accounts

S0
Secur0 CNA
CVE-2026-59235

Description

Missing Authorization (CWE-862) in BankAccountListController (app/Http/Controllers/Api/BankAccount/BankAccountListController.php), exposed at GET /api/bank-account, in Prospero Flow CRM <5.5.3, which allows a remote, authenticated low-privileged attacker (for example, the "User"/"Usuario" role) to read all bank account records belonging to their company by sending an authenticated request to the endpoint, because the API route is protected only by the auth:api middleware and enforces no permission check (unlike the equivalent web route, which requires can('read bank')), and the handler retrieves records with Account::where('company_id', Auth::user()->company_id)->get(), performing only company scoping and no role or permission check before returning the data. This results in the unauthorized disclosure of sensitive banking information (IBAN, SWIFT/BIC, and account identifiers) to users who should not have access to it.

Vulnerability type (CWE)

CWE-862: Missing Authorization

Affected versions

Prospero Flow CRM after 4.6.0 and before 5.5.3. The vulnerable endpoint was introduced after 4.6.0 and fixed before the 5.5.3 tag, so no tagged release shipped vulnerable. Default status: unaffected.

Score (CVSS 4.0)

High

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Solution

Upgrade to version 5.5.3 or higher.

Patch

Commit 57bb5721

Credits

  • David Moreno Urbanos - finder
  • YoyoDavelion - finder
  • Xoán M. Otero Jorge - analyst
  • Cristian Fernández Cornejo - analyst
  • Secur0 CNA - coordinator
  • Gustavo Novaro - remediation developer Discovery source: External Official record: CVE-2026-59235